Microsoft’s Failure to Prioritize Security Puts Everyone at Risk

It has been a very busy year when it comes to Microsoft zero-day attacks. According to KrebsOnSecurity, May is the only month in 2021 that Microsoft didn’t release a patch to defend against at least one zero-day exploit. And Microsoft vulnerabilities are playing a bigger role in the spate of ransomware infections organizations are grappling with than most probably are aware of (more on that below).

Artboard 1-2The issue is not the mere presence of vulnerabilities in Microsoft code - that’s something that unfortunately is almost unavoidable when you’re dealing with billions of lines of code, and most developer shops make a serious effort to weed them out before the code goes into production. 

Until we find a way to reliably automate vulnerability remediation at scale, there are going to be exploitable bugs now and again.

The issue here is Microsoft’s lackluster track record in assuring fewer vulnerabilities make it to market so their customers can be more secure - and it’s security that is the real rub here. 

Over the last few years, Microsoft has been making huge investments in security, but those investments are not focused on making their products more secure, they are directed at developing new product offerings in the security space.

To be clear here, Microsoft as an organization has made a conscious decision to forgo improving their product security in favor of going after new revenue streams as a security vendor. 

So essentially, Microsoft - arguably the most prolific and ubiquitous IT products and services providers on the planet, and thus the biggest target for attackers - is looking to cash-in by offering to protect everyone from the vulnerabilities they introduce into the market. 

Enlarge the infographic here... 

This is akin to a fast food chain deciding not to make their food healthier but instead choosing to invest in fitness centers, or Big Tobacco funding cancer research instead of just ceasing to sell cancer-causing agents. And, after they have successfully conditioned us to accept the fact that their products are perpetually vulnerable with the monthly Patch Tuesday fire drills, they now want organizations to trust that they are the best choice to protect their most precious assets? 

No matter how you justify the “savings” in bundling IT and Security spend together with a (still very expensive) E5 license, the fact is you’d essentially be paying Microsoft twice to protect you from… Microsoft.

Flashback to the 1990’s

People have been discussing Microsoft’s weak security practices since as far back as the 1990s. In September 1999, for instance, CNN referenced the attention Microsoft was receiving at the time for security vulnerabilities affecting Internet Explorer, Office, and Hotmail. Several security experts went on to declare that Microsoft’s security was worse than other software providers.

Internationally renowned computer security expert Bruce Schneier was one of them.

"It's the dominant operating system out there, so it's going to attract the attention. On the other hand, Windows has extremely sloppy security," he said, as quoted by CNN. "Microsoft's operating system was never designed with security in mind. For Microsoft, security is always an afterthought." 

Schneier wasn’t alone in this viewpoint. Several years after CNN came out with its report, Microsoft faced a class-action lawsuit in California that called out its weak emphasis on security. The lawsuit claimed that the tech giant’s software was vulnerable to viruses capable of producing “massive, cascading failures” on networks worldwide, wrote WIRED. It also decried Microsoft’s security warnings as too complex to be useful to anyone other than malicious actors looking to exploit flaws in the company’s operating system.

Fast Forward Back to 2021

Apparently, not much has changed. In fact, Microsoft’s poor security practices continue to make the company an even bigger target - but now it’s the ransomware gangs who are capitalizing on Microsoft’s lack of commitment to security. This was especially evident in March when digital gangs decided to launch their own attack campaigns exploiting ProxyLogon, a series of four Microsoft Exchange Server software vulnerabilities first exploited by a threat group called HAFNIUM

One of those attack groups leveraged residual webshells left over from the HAFNIUM attacks along with other resources to target affected organizations with DearCry Ransomware. At that time, these malicious actors had impacted organizations in the United States, Germany, Indonesia, and elsewhere using the ransomware.

The hits kept coming in the months that followed, and things particularly ramped up after the disclosure of ProxyShell, an attack method also involving Microsoft’s Exchange Server software. In August, for example, Bleeping Computer reported that some attackers were using ProxyShell to assume control of an organization’s on-premises Exchange Server. 

They then staged the PetitPotam network attack so that they could gain leverage over the domain controller for the Windows domain. This gave the attackers all they needed to deploy a new ransomware called LockFile across victims’ entire networks.

About a month after that, SiliconANGLE wrote that affiliates of the Conti Ransomware-as-a-Service (RaaS) operation were in the process of staging their own ProxyShell attacks. Some of those attacks proceeded quickly, installing a second web shell just minutes after having finished installing the first. Such a pace enabled the attackers to map their victim’s network for computers, domain controllers, and domain administrators in 30 minutes. 

Then more recently, researchers from Guardicore Labs shared analysis of a design flaw issue with Autodiscover, the protocol that allows devices to authenticate to Microsoft Exchange Servers and automatically configure client access, which can be exploited to leak web requests and allow credentials to be captured. Guardicore researchers captured more than 370,000 Windows domain credentials, and nearly 100,000 unique sets of credentials over just a few months. 

OK, another vulnerability, so just patch it, right? Well, Microsoft tried to deny any knowledge of the issue, except that defense quickly unraveled when the Guardicore researchers pointed out that the vulnerability was first disclosed back in 2017, having been the subject of a well publicized Blackhat Asia talk. So Microsoft had nearly 1,500 days to address the problem - but they didn’t.

Lastly, although there are hundreds if not thousands of more examples, a recent HPE study noted that more than 50% of all ransomware attacks gained access to a victim’s network through an unsecured Microsoft Remote Desktop Protocol (RDP) connection. Attackers can use that entry vector, among others, as a way of accessing a victim’s network, discovering whatever Microsoft tools they have deployed, and then launch their attacks.

In addition, a recent analysis of over 80 million ransomware files by Google researchers revealed that Windows-based executables and dynamic link libraries accounted for fully 95% of all the ransomware files examined, further evidence that Microsoft products are the best infection vector for ransomware attacks.

Security Should Be Priority One for a Security Vendor

So this brings us back to the issue at hand: does Microsoft’s extensive track record with introducing vulnerabilities (and sometimes actively ignoring them) make them the best choice to secure your company? What if they offer to bundle all services with a comprehensive E5 license, does saving a little on an already overpriced license give you the confidence you need to feel like your security is Microsoft’s first priority?

To be clear, there are a lot of really bright, really talented, and really dedicated professionals working in the security division at Microsoft who take your security seriously and are dedicated to fighting the good fight for you - no fingers are being pointed at them. They are our colleagues, friends, and fellow defenders who deserve the highest respect.

This is a discussion about Microsoft the Organization and whether it is truly committed to your security, or if they are trying to have it both ways by pushing security products that - if deployed - will be working overtime to defend your organizations against attacks that are overwhelmingly directed at exploiting vulnerabilities in Microsoft’s other products.

There are a lot of competing companies in the security space, and most any reputable security vendor is a good choice if they are the right solution for your organization's specific needs and use cases. And, while we are all competing for your business, at the end of the day we are also all on the same side as defenders united against the adversary. If Microsoft wants to be a serious contender in the security space, they should first focus on getting their own house in order before you invite them to do work on yours.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed